Add basic auth to /metrics endpoint #2322
Comments
@gavinelder I'm adding your comment from the separate "[FR] Separate internal / external endpoints" issue here:
Maybe the first step is to add basic auth for both Later, Fleet might want to make it easier to allow more granular control over which endpoints are public v. internal.
What about the following three options:
The above is the secure by default approach but we should discuss because it's sort of a "breaking change".
What if we go with metrics are turned off by default and only enabled if the credentials are provided? I suspect not many teams are actually using the metrics, so we'll break the fewest installations if we go that way.
Works too, it's a good trade-off between security <-> deployment-ease.
I've updated the issue description.
This would probably close down the linked issue in #3614
Goal
Though the /metrics endpoint doesn't contain anything particularly sensitive, it is desirable to keep this behind authentication. Prometheus supports scraping with basic auth (see https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config).
Tasks
prometheus_username and prometheus_password Server configuration option and use this to authenticate the /metrics endpoint with basic auth.
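The behaviour the thread settles on (metrics off unless credentials are configured, basic auth otherwise) can be sketched as Go middleware. This is an added example, not Fleet's implementation: metricsAuth, the sample credentials and the stand-in metrics handler are hypothetical, and the two string parameters stand in for the proposed prometheus_username and prometheus_password options.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
)

// metricsAuth wraps the /metrics handler with HTTP basic auth.
// user and pass stand in for the proposed prometheus_username and
// prometheus_password settings (hypothetical wiring, not Fleet's code).
func metricsAuth(user, pass string, next http.Handler) http.Handler {
	// Off by default: with no credentials configured the endpoint is not served.
	if user == "" || pass == "" {
		return http.NotFoundHandler()
	}
	// Hash once so the comparisons below run over fixed-length values.
	wantUser := sha256.Sum256([]byte(user))
	wantPass := sha256.Sum256([]byte(pass))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		gotUser := sha256.Sum256([]byte(u))
		gotPass := sha256.Sum256([]byte(p))
		// Evaluate both comparisons before combining them so timing does
		// not reveal which field was wrong.
		userOK := subtle.ConstantTimeCompare(gotUser[:], wantUser[:])
		passOK := subtle.ConstantTimeCompare(gotPass[:], wantPass[:])
		if !ok || userOK&passOK != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="metrics"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed stand-in for the real Prometheus handler.
	metrics := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "# HELP up 1 if the server is up")
	})
	mux := http.NewServeMux()
	mux.Handle("/metrics", metricsAuth("prom", "constructed-secret", metrics))
	_ = http.ListenAndServe("127.0.0.1:8080", mux)
}
```

Basic auth sends the credentials base64-encoded rather than encrypted, so the scrape should run over TLS.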